<html>
<head><meta charset="utf-8"><title>PyPI malware attack · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html">PyPI malware attack</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="228527576"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228527576" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228527576">(Mar 03 2021 at 03:07)</a>:</h4>
<p><a href="https://github.com/pypa/pypi-support/issues/923">https://github.com/pypa/pypi-support/issues/923</a></p>



<a name="228527649"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228527649" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228527649">(Mar 03 2021 at 03:08)</a>:</h4>
<p><a href="https://github.com/cupy/cupy/issues/4787">https://github.com/cupy/cupy/issues/4787</a></p>



<a name="228532238"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228532238" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Quy Nguyen <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228532238">(Mar 03 2021 at 04:06)</a>:</h4>
<p>This cupy issue would be resolved decently well with some concept of namespaces. Typosquatting in general could probably be detected using edit-distance in some way, but the amount of false positives that would generate might be intractable...</p>



<a name="228620469"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228620469" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228620469">(Mar 03 2021 at 16:20)</a>:</h4>
<p>typosquatting seems like an underappreciated problem, especially in the context of things like IDEs that run package managers as you type...</p>



<a name="228628112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228628112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228628112">(Mar 03 2021 at 17:04)</a>:</h4>
<p>FWIW, I'm on the Python Security Response Team, where reports of malicious PyPI packages go.</p>
<p>I'm 100% convinced that the current approach is untenable. Reports of malicious packages are easily the #1 source of reports to <a href="mailto:security@python.org">security@python.org</a>. They're also a pain to manually moderate; they require a PyPI admin to review the package and its author for <em>intent</em>, and because the remediation action is removing the package, this is a privileged action that can't be widely delegated.</p>
<p>At this point I'm pretty convinced of the merits of Go's solution: URLs seem to be harder to typo-squat (they're usually copy-pasted instead of manually typed) and also it outsources the problem of moderation to GitHub or whoever else, freeing up the mostly-volunteer OSS team to do other things.</p>
<p>There may be other solutions to this problem than Go's, but I believe strongly that you need a structural change to packaging to really solve this.</p>



<a name="228645302"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228645302" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228645302">(Mar 03 2021 at 18:46)</a>:</h4>
<p><span class="user-mention" data-user-id="130046">@Alex Gaynor</span> that has the "left pad" tradeoff though...</p>



<a name="228645407"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228645407" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228645407">(Mar 03 2021 at 18:47)</a>:</h4>
<p>That the author might delete the GH repo?</p>
<p>Go mitigates that with the caching proxy + sumdb.</p>



<a name="228647361"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/PyPI%20malware%20attack/near/228647361" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/PyPI.20malware.20attack.html#228647361">(Mar 03 2021 at 18:59)</a>:</h4>
<p>aah</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>